gRPC Security¶
TL;DR¶
gRPC uses binary Protocol Buffers over HTTP/2. Harder to test than REST because requests are binary and only meaningful with the service's .proto schema, but the same vulnerability classes apply.
Key issues: plaintext communication (no TLS), reflection enabled (schema leak), missing per-method authorization, injection via protobuf string fields.
Detection¶
Check for Plaintext¶
Run the reflection command below (`grpcurl -plaintext 127.0.0.1:50051 list`) or any call with `-plaintext`. If it works → no TLS (the server speaks h2c). If it fails with a TLS handshake error the server does use TLS; retry without `-plaintext`, adding `-insecure` if the certificate is self-signed, so testing can continue.
Wireshark: capture port 50051 and decode it as HTTP/2 (the grpc dissector sits on top of http2). Without TLS the `:path` pseudo-header (/package.Service/Method) and the serialized protobuf payload are visible in clear.
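The same check without grpcurl, as an added example that is not part of the original page: send the HTTP/2 client preface in clear and look at what comes back. A plaintext gRPC (h2c) server must answer with a SETTINGS frame; a TLS listener either sends a TLS alert record or closes the connection. The host and port in `main` are assumed.

```python
# Added example, not from the original page: a raw HTTP/2 preface probe that
# tells h2c (plaintext gRPC) from TLS without grpcurl. Host/port are assumed.
import socket

# Client connection preface (RFC 7540 section 3.5) followed by an empty SETTINGS frame:
# frame header = 3-byte length (0), 1-byte type (0x04 = SETTINGS), 1-byte flags, 4-byte stream id (0).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
EMPTY_SETTINGS = b"\x00\x00\x00" + b"\x04" + b"\x00" + b"\x00\x00\x00\x00"


def classify(data: bytes) -> str:
    """Classify the first bytes a server sends back after the h2c preface."""
    if not data:
        return "closed"            # silently closed: TLS (common) or not HTTP/2 at all
    if len(data) >= 9 and data[3] == 0x04 and data[5:9] == b"\x00\x00\x00\x00":
        return "h2c-plaintext"     # server preface: a SETTINGS frame on stream 0
    if data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"         # TLS record type 21 (alert): the listener expected a ClientHello
    if data.startswith(b"HTTP/1."):
        return "http1"             # an HTTP/1.x server answered, not gRPC over h2c
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send preface + SETTINGS, classify the reply (empty on timeout/reset)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(H2_PREFACE + EMPTY_SETTINGS)
        try:
            data = sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify(data)


if __name__ == "__main__":
    import sys
    # Assumed default target; pass host and port on the command line to override.
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", 50051)
    print(f"{host}:{port} -> {probe(host, port)}")
```

Only the positive result is conclusive: "h2c-plaintext" means the port accepts gRPC without TLS. "closed" or "tls-alert" means try the same port with grpcurl minus `-plaintext`.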
Common Ports¶
50051 is the conventional default in gRPC examples and the port used throughout this page, but nothing enforces it: gRPC is ordinary HTTP/2, so any h2 or h2c listener can be a gRPC endpoint.
Service Reflection (Schema Leak)¶
Like GraphQL introspection: if the server registers the reflection service, grpcurl can enumerate services, methods and message types without a .proto file. If reflection is off, supply the schema yourself with `-proto file.proto` (plus `-import-path` for its dependencies) or a compiled `-protoset`.
# List all services
grpcurl -plaintext 127.0.0.1:50051 list
# List methods in a service
grpcurl -plaintext 127.0.0.1:50051 list blog.BlogService
# Describe a method
grpcurl -plaintext 127.0.0.1:50051 describe blog.BlogService.CreatePost
Exploitation¶
SQL Injection¶
Use `describe` on the method to find its string-typed fields, then inject in fields: the proto only guarantees that the field is a string, it does not sanitize it, and a handler that concatenates it into a query is as injectable as any REST parameter.
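What that looks like on the server side, as an added example that is not code from the original page: a request message whose string field is concatenated into SQL, beside the parameterized version. The message type, table and handler names are invented for the demo and sqlite3 stands in for the backend database; the payload is the value you would put into the JSON field passed to `grpcurl -d`.

```python
# Added example, not from the original page: why a protobuf string field is
# still an injection sink. Message, table and handlers are invented for the
# demo; sqlite3 stands in for the backend database.
import sqlite3
from dataclasses import dataclass


@dataclass
class ListPostsRequest:
    """Stand-in for a generated message, assumed as:
    message ListPostsRequest { string author = 1; }"""
    author: str


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two published posts and one unpublished draft."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT, draft INTEGER)")
    db.executemany(
        "INSERT INTO posts (author, title, draft) VALUES (?, ?, ?)",
        [("alice", "public post", 0), ("bob", "bob's post", 0), ("admin", "unpublished secret", 1)],
    )
    return db


def list_posts_vulnerable(db: sqlite3.Connection, req: ListPostsRequest) -> list:
    """Handler that trusts req.author because protobuf typed it as a string.
    The type guarantees valid UTF-8, nothing about SQL metacharacters."""
    query = f"SELECT title FROM posts WHERE author = '{req.author}' AND draft = 0"
    return [row[0] for row in db.execute(query)]


def list_posts_safe(db: sqlite3.Connection, req: ListPostsRequest) -> list:
    """Same query with a bound parameter: the payload is compared as data."""
    query = "SELECT title FROM posts WHERE author = ? AND draft = 0"
    return [row[0] for row in db.execute(query, (req.author,))]


# Payload for the JSON field: closes the quote, ORs in a true clause, comments out the rest.
PAYLOAD = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("normal   :", list_posts_vulnerable(db, ListPostsRequest("alice")))
    print("injected :", list_posts_vulnerable(db, ListPostsRequest(PAYLOAD)))
    print("safe     :", list_posts_safe(db, ListPostsRequest(PAYLOAD)))
```

With the payload, the vulnerable handler's `AND draft = 0` filter is commented away and the draft leaks; the parameterized handler returns nothing because no author is literally named `' OR 1=1 --`.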
Call Methods¶
# Call a method with JSON input
grpcurl -plaintext -d '{"id": 1}' \
127.0.0.1:50051 blog.BlogService.GetPost
# Client/bidirectional stream: -d @ reads JSON request messages from stdin
grpcurl -plaintext -d @ 127.0.0.1:50051 chat.ChatService.Stream
Authorization Bypass¶
gRPC methods often lack per-method auth; the credential usually travels as request metadata (for example an `authorization` header, sent with `grpcurl -H 'authorization: Bearer ...'`). For every method listed by reflection, replay the call with the header removed or with another user's token and check:
- Admin methods callable without auth
- Cross-tenant data access (another tenant's IDs accepted with your token)
- Internal methods exposed
Protobuf Issues¶
Insecure Definitions¶
- Services expose more data than needed
- Sensitive fields in responses
- Streaming RPCs with no limit on message size or message count (resource exhaustion)
Unknown Fields¶
Protobuf parsers do not reject field numbers they do not know: proto3 keeps them as unknown fields (older versions dropped them) and the message still parses. Inject extra fields:
Backend might process isAdmin if it exists in the actual proto. This matters when your copy of the schema is incomplete (for example a .proto recovered from a client binary): the server's real message may define a field number yours lacks, and its handler reads whatever arrives under that number. Note that grpcurl's JSON input rejects unknown field *names* by default and `-allow-unknown-fields` only makes it drop them, so to reach a field the client schema lacks you have to put the field number on the wire yourself.
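The wire-level version of that, as an added example that is not part of the original page: a tiny protobuf encoder/decoder (varints and length-delimited fields only) builds a request whose field 5 the client-side schema does not define, then parses the same bytes with the server's schema, where field 5 is an `is_admin` bool. The message name, both schemas and the field numbers are assumptions for the demo; the gRPC length-prefix framing at the end is what you would see in a proxy.

```python
# Added example, not from the original page: hand-built protobuf wire bytes
# showing how a field number absent from the client's .proto still reaches a
# server whose .proto defines it. Message and field names are assumed.

WT_VARINT, WT_LEN = 0, 2  # the two protobuf wire types this demo handles


def encode_varint(n: int) -> bytes:
    """Base-128 varint: 7 data bits per byte, low group first, MSB = continuation."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data: bytes, pos: int):
    """Return (value, position after the varint)."""
    shift, result = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def encode_string(field_no: int, s: str) -> bytes:
    payload = s.encode("utf-8")
    return encode_varint((field_no << 3) | WT_LEN) + encode_varint(len(payload)) + payload


def encode_bool(field_no: int, flag: bool) -> bytes:
    return encode_varint((field_no << 3) | WT_VARINT) + encode_varint(int(flag))


def decode_fields(data: bytes) -> list:
    """Return [(field_no, wire_type, raw_value)] for every field on the wire."""
    pos, fields = 0, []
    while pos < len(data):
        tag, pos = decode_varint(data, pos)
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type == WT_VARINT:
            value, pos = decode_varint(data, pos)
        elif wire_type == WT_LEN:
            length, pos = decode_varint(data, pos)
            value, pos = data[pos:pos + length], pos + length
        else:
            raise ValueError(f"wire type {wire_type} not handled in this demo")
        fields.append((field_no, wire_type, value))
    return fields


def parse_with_schema(data: bytes, schema: dict):
    """Map wire fields onto schema {field_no: (name, kind)}. Unknown numbers are
    set aside, never rejected: that is normal protobuf behaviour and the reason
    the extra field is silent on the client side."""
    known, unknown = {}, []
    for field_no, _wire_type, value in decode_fields(data):
        if field_no not in schema:
            unknown.append(field_no)
            continue
        name, kind = schema[field_no]
        known[name] = value.decode("utf-8") if kind == "string" else bool(value)
    return known, unknown


# Client-visible proto (assumed): message CreatePostRequest { string title = 1; string body = 2; }
CLIENT_SCHEMA = {1: ("title", "string"), 2: ("body", "string")}
# Server's real proto (assumed) additionally has: bool is_admin = 5;
SERVER_SCHEMA = {**CLIENT_SCHEMA, 5: ("is_admin", "bool")}


def build_request() -> bytes:
    """Legitimate fields plus field 5, which the client schema cannot express."""
    return encode_string(1, "hello") + encode_string(2, "world") + encode_bool(5, True)


def grpc_frame(message: bytes) -> bytes:
    """gRPC length-prefixed message: 1-byte compressed flag + 4-byte big-endian length + payload."""
    return b"\x00" + len(message).to_bytes(4, "big") + message


def grpc_unframe(frame: bytes) -> bytes:
    if frame[0] != 0:
        raise ValueError("compressed messages not handled in this demo")
    length = int.from_bytes(frame[1:5], "big")
    return frame[5:5 + length]


if __name__ == "__main__":
    msg = build_request()
    print("client view:", parse_with_schema(msg, CLIENT_SCHEMA))
    print("server view:", parse_with_schema(msg, SERVER_SCHEMA))
    print("gRPC frame :", grpc_frame(msg).hex())
```

The client-side parse reports field 5 as unknown and carries on; the server-side parse yields `is_admin: True`. This is also why `protoc --decode_raw` on captured frames is useful: it shows every field number present, including ones your .proto never mentions.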
Tools¶
| Tool | Usage |
|---|---|
| grpcurl | CLI for gRPC interaction |
| grpcui | Web UI for testing gRPC |
| Burp + grpcui | Intercept the JSON requests of the grpcui web UI in Burp |
| protoc | Compile .proto files; `--decode_raw` dumps captured wire bytes without a schema, `--decode` with one |
Setup grpcui with Burp¶
Run `grpcui -plaintext 127.0.0.1:50051` (add `-port` to pin the UI port) and open the UI in a browser that proxies through Burp. The UI submits each call as JSON to grpcui's local HTTP endpoint, so Burp sees and can modify the request fields as JSON; grpcui then encodes them to protobuf and speaks gRPC to the target. The gRPC frames on 50051 themselves never pass through Burp.
CVEs¶
| CVE | Impact |
|---|---|
| CVE-2024-37168 | gRPC-js DoS via memory allocation |
| CVE-2024-* | gRPC-C++ data corruption (zero-copy) |
Checklist¶
- Plaintext enabled?
- Reflection enabled?
- Injection in fields?
- Auth on each method?
- Cross-tenant access?
- Admin methods exposed?